Automatically enroll macOS devices with the Device Enrollment Program or Apple School Manager
You can set up Intune enrollment for macOS devices purchased through Apple's Device Enrollment Program (DEP) or Apple School Manager. You can use either of these enrollments for large numbers of devices without ever touching them. You can ship macOS devices directly to users. When the user turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into Intune management.
To set up enrollment, you use both the Intune and Apple DEP portals. You create enrollment profiles containing settings that applied to devices during enrollment.
Neither DEP enrollment or Apple School Manager work with the device enrollment manager.
- Devices purchased in Apple School Manager or Apple's Device Enrollment Program
- A list of serial numbers or a purchase order number.
- MDM Authority
- Apple MDM Push certificate
Get an Apple DEP token
Before you can enroll macOS devices with DEP or Apple School Manager, you need a DEP token (.p7m) file from Apple. This token lets Intune sync information about the devices that your organization owns. It also lets Intune upload enrollment profiles to Apple and to these profiles to devices.
You use the Apple portal to create a token. You also use the Apple portal to assign devices to Intune for management.
If you delete the token from the Intune classic portal before migrating to Azure, Intune might restore a deleted Apple token. You can delete the token again from the Azure portal.
Step 1. Download the Intune public key certificate required to create the token
In the Intune in the Azure portal, choose Device enrollment > Apple enrollment > Enrollment Program Tokens > Add.
Grant permission to Microsoft to send user and device information to Apple by selecting I agree.
Choose Download your public key to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple portal.
Step 2. Use your key to download a token from Apple
Choose Create a token for Apple's Device Enrollment Program or Create a token via Apple School Manager to open the appropriate Apple portal, and sign in with your company Apple ID. You can use this Apple ID to renew your token.
For DEP, in the Apple portal, choose Get Started for Device Enrollment Program > Manage Servers > Add MDM Server.
For Apple School Manage, in the Apple portal, choose MDM Servers > Add MDM Server.
Enter the MDM Server Name, and then choose Next. The server name is for your reference to identify the mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.
The Add <ServerName> dialog box opens, stating Upload Your Public Key. Choose Choose File… to upload the .pem file, and then choose Next.
Go to Deployment Programs > Device Enrollment Program > Manage Devices.
Under Choose Devices By, specify how devices are identified:
- Serial Number
- Order Number
- Upload CSV File.
For Choose Action, choose Assign to Server, choose the <ServerName> specified for Microsoft Intune, and then choose OK. The Apple portal assigns the specified devices to the Intune server for management and then displays Assignment Complete.
Step 3. Save the Apple ID used to create this token
In Intune in the Azure portal, provide the Apple ID for future reference.
Step 4. Upload your token
In the Apple token box, browse to the certificate (.pem) file, choose Open, and then choose Create. With the push certificate, Intune can enroll and manage macOS devices by pushing policy to enrolled devices. Intune automatically synchronizes with Apple to see your enrollment program account.
Create an Apple enrollment profile
Now that you've installed your token, you can create an enrollment profile for devices. A device enrollment profile defines the settings applied to a group of devices during enrollment.
In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens.
Select a token, choose Profiles, and then choose Create profile.
Under Create Profile, enter a Name and Description for the profile for administrative purposes. Users do not see these details. You can use this Name field to create a dynamic group in Azure Active Directory. Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. Learn more about Azure Active Directory dynamic groups.
For Platform, choose macOS.
For User Affinity, choose whether or not devices with this profile must enroll with or without an assigned user.
Enroll with User Affinity - Choose this option for devices that belong to users and that want to use the Company Portal app for services like installing apps. If using ADFS, user affinity requires WS-Trust 1.3 Username/Mixed endpoint. Learn more.Multifactor authentication is not supported for macOS DEP devices with user affinity.
Enroll without User Affinity - Choose this option for device unaffiliated with a single user. Use this for devices that perform tasks without accessing local user data. Apps like the Company Portal app don’t work.
Choose Device Management Settings and Choose whether or not you want locked enrollment for devices using this profile. Locked enrollment disables macOS settings that allow the management profile to be removed from the System Preferences menu or through the Terminal. After device enrollment, you cannot change this setting without wiping the device.
Choose Setup Assistant Settings to configure the following profile settings:
Department settings Description Department Name Appears when users tap About Configuration during activation. Department Phone Appears when the user clicks the Need Help button during activation.
You can choose to show or hide a variety of Setup Assistant screens on the device when the user sets it up.
- If you choose Hide, the screen won't be displayed during setup. After setting up the device, the user can still go in to the Settings menu to set up the feature.
- If you choose Show, the screen will be displayed during setup. The user can sometimes skip the screen without taking action. But they can then later go into the device's Settings menu to set up the feature.
Setup Assistant screen settings If you choose Show, during setup the device will... Passcode Prompt the user for a passcode. Always require a passcode unless the device is secured or has access controlled in some other manner (that is, kiosk mode that restricts the device to one app). Location Services Prompt the user for their location. Restore Display the Apps & Data screen. This screen gives the user the option to restore or transfer data from iCloud Backup when they set up the device. iCloud and Apple ID Give the user the options to sign in with their Apple ID and use iCloud. Terms and Conditions Require the user to accept Apple's terms and conditions. Touch ID Give the user the option to set up fingerprint identification for the device. Apple Pay Give the user the option to set up Apple Pay on the device. Zoom Give the user to the option to zoom the display when they set up the device. Siri Give the user the option to set up Siri. Diagnostic Data Display the Diagnostics screen to the user. This screen gives the user the option to send diagnostic data to Apple. FileVault Give the user the option to set up FileVault encryption. iCloud Diagnostics Give the user the option to send iCloud diagnostic data to Apple. iCloud Storage Give the user the option to use iCloud storage. Display Tone Give the user the option to turn on Display Tone. Appearance Display the Appearance screen to the user. Registration Require the user to register the device. Privacy Display the Privacy screen to the user. Screen Time Display the Screen Time screen to the user.
To save the profile, choose Create.
Sync managed devices
Now that Intune has permission to manage your devices, you can synchronize Intune with Apple to see your managed devices in Intune in the Azure portal.
In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens > choose a token in the list > Devices > Sync.
To comply with Apple’s terms for acceptable enrollment program traffic, Intune imposes the following restrictions:
- A full sync can run no more than once every seven days. During a full sync, Intune fetches the complete updated list of serial numbers assigned to the Apple MDM server connected to Intune. After an Enrollment Program device is deleted from Intune portal without being unassigned from the Apple MDM server in the DEP portal, it won't be re-imported to Intune until the full sync is run.
- A sync is run automatically every 24 hours. You can also sync by clicking the Sync button (no more than once every 15 minutes). All sync requests are given 15 minutes to finish. The Sync button is disabled until a sync is completed. This sync will refresh existing device status and import new devices assigned to the Apple MDM server.
Assign an enrollment profile to devices
You must assign an enrollment program profile to devices before they can enroll.
- In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens > choose a token in the list.
- Choose Devices > choose devices in the list > Assign profile.
- Under Assign profile, choose a profile for the devices > Assign.
Assign a default profile
You can pick a default macOS and iOS profile to be applied to all devices enrolling with a specific token.
- In Intune in the Azure portal, choose Device enrollment > Apple enrollment > Enrollment program tokens > choose a token in the list.
- Choose Set Default Profile, choose a profile in the drop-down list, and then choose Save. This profile will be applied to all devices that enroll with the token.
You have enabled management and syncing between Apple and Intune, and assigned a profile to let your devices enroll. You can now distribute devices to users. Devices with user affinity require each user be assigned an Intune license. Devices without user affinity require a device license. An activated device cannot apply an enrollment profile until the device is wiped.
Renew a DEP token
Go to deploy.apple.com.
Under Manage Servers, choose your MDM server associated with the token file that you want to renew.
Choose Generate New Token.
Choose Your Server Token.
In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens > choose the token.
Choose Renew token and enter the Apple ID used to create the original token.
Upload the newly downloaded token.
Choose Renew token. You'll see the confirmation that the token was renewed.
After enrolling macOS devices, you can start managing them.